GreyNoise-Intelligence / 2024-09-noise-storms

Notes and receipts (PCAPs) for TCP and ICMP Noise Storms
MIT License

ICMP packets #1

Open Andoryuuta opened 2 months ago

Andoryuuta commented 2 months ago

Hello!

First of all: this is pretty neat, so thanks for sharing!

After looking at it a bit, the ICMP data seems to always be 56 bytes in length and follow the format:

#include <stdint.h>

struct love_icmp_payload {          // 56 bytes total
    uint8_t  magic[4];              // "LOVE"
    uint8_t  unknown_identifier[4];
    uint64_t unix_timestamp_ms;     // little-endian
    uint8_t  padding[40];           // Only null bytes, no data.
};

The provided timestamps seem fairly truthful - a few tens of milliseconds off from the actual received time logged in the pcap.

Under the assumption that the client(s) generating these packets are syncing with an NTP server somewhere and are providing truthful timestamps, I wonder if you could get a (very rough) geographic origin of these packets by looking at the delta between the receive time and client-provided timestamp in various locations.

Does GreyNoise have multiple geographically-diverse sensors that are seeing the LOVE ICMP packets?
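An added example, not code from this issue or from the GreyNoise repository: it parses a 56-byte payload of the format described above (magic, 4-byte identifier, little-endian uint64 millisecond timestamp, zero padding) and computes the delta between a sensor's receive time and the embedded timestamp, the quantity the comment proposes comparing across sensors. The identifier bytes, timestamps and receive times in the block are constructed sample values, not captured traffic.

```python
import struct
from datetime import datetime, timezone
from statistics import median

PAYLOAD_LEN = 56
MAGIC = b"LOVE"
# Layout as described in the issue: 4-byte magic, 4-byte identifier,
# little-endian uint64 Unix timestamp in milliseconds, then 40 zero bytes.
_HEADER = struct.Struct("<4s4sQ")


def parse_love_payload(data: bytes) -> dict:
    """Parse one ICMP payload; raise ValueError if it does not match the format."""
    if len(data) != PAYLOAD_LEN:
        raise ValueError(f"expected {PAYLOAD_LEN} bytes, got {len(data)}")
    magic, ident, ts_ms = _HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    if any(data[_HEADER.size:]):
        raise ValueError("non-zero bytes in padding region")
    return {
        "magic": magic,
        "identifier": ident.hex(),
        "timestamp_ms": ts_ms,
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
    }


def is_love_payload(data: bytes) -> bool:
    """True only if the payload parses cleanly under the format above."""
    try:
        parse_love_payload(data)
        return True
    except ValueError:
        return False


def timestamp_delta_ms(payload: dict, received_ms: int) -> int:
    """Sensor receive time minus the sender-supplied timestamp, in ms."""
    return received_ms - payload["timestamp_ms"]


def delta_summary_ms(observations) -> dict:
    """Summarise deltas for one sensor.

    observations: iterable of (received_ms, raw_payload_bytes), e.g. the frame
    timestamp and ICMP data pulled from a PCAP. Payloads that do not match the
    format are skipped rather than counted.
    """
    deltas = [
        timestamp_delta_ms(parse_love_payload(raw), received)
        for received, raw in observations
        if is_love_payload(raw)
    ]
    if not deltas:
        return {"count": 0, "min": None, "median": None, "max": None}
    return {"count": len(deltas), "min": min(deltas),
            "median": median(deltas), "max": max(deltas)}


def build_love_payload(ident: bytes, ts_ms: int) -> bytes:
    """Constructed sample payload for exercising the parser (not captured data)."""
    return _HEADER.pack(MAGIC, ident, ts_ms) + b"\x00" * (PAYLOAD_LEN - _HEADER.size)


if __name__ == "__main__":
    # Constructed sample: three packets from one sensor, embedded timestamp
    # 2024-09-01T00:00:00Z, received 20, 37 and 60 ms later.
    base_ms = 1725148800000
    sample = [(base_ms + d, build_love_payload(b"\x01\x02\x03\x04", base_ms))
              for d in (20, 37, 60)]
    print(parse_love_payload(sample[0][1]))
    print(delta_summary_ms(sample))
```

Running the summary per sensor location and comparing the medians is the comparison the comment suggests; the per-packet delta mixes network transit time with the sender's clock error, so only the spread across sensors, not a single value, says anything about origin.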

IS-AA commented 2 months ago

Hello @Andoryuuta, very interesting idea, but packets of several attacks will have different TS (and different GeoIP and so NTP). I think we have to assume that there is not a single client that generates all targets (requests); that would be too dumb and inefficient.

From web news we can know that it appears these waves of fake Internet traffic originate from millions of spoofed IP addresses from a variety of sources, including the CDNs of Chinese platforms QQ, WeChat and WePay, and target specific vendors (such as Cogent, Lumen and Hurricane Electric) while avoiding others, such as Amazon Web Services (AWS).

Akshit-ls commented 1 month ago

On some of the IP addresses DoD is listening.

Traceroute
Tracing route to 43.152.0.24 [43.152.0.24]...

hop  rtt  rtt  rtt  ip address       fully qualified domain name
1    1    0    0    169.254.158.58
2    1    1    0    169.48.118.156   ae103.ppr01.dal13.networklayer.com
3    19   32   1    169.48.118.128   80.76.30a9.ip4.static.sl-reverse.com
4    3    2    2    169.45.18.86     ae16.cbs01.eq01.dal03.networklayer.com
5    1    1    1    50.97.17.55      ae33.bbr02.eq01.dal03.networklayer.com
6    52   36   36   84.16.6.197
7    142  142  142  213.140.35.119
8    141  141  141  5.53.3.142
9    142  142  142  213.140.36.17
10   154  150  159  216.184.112.59   gvt-te-0-1-0-24-2-4-grtriotw2.priv.net.telefonicaglobalsolutions.com
11   151  149  150  30.33.185.38
12   155  151  150  30.33.174.225
13   147  148  148  43.152.0.24

Network Whois record
Queried whois.arin.net with "n 30.33.174.225"...

NetRange:       30.0.0.0 - 30.255.255.255
CIDR:           30.0.0.0/8
NetName:        DNIC-NET-030
NetHandle:      NET-30-0-0-0-1
Parent:         ()
NetType:        Direct Allocation
OriginAS:
Organization:   DoD Network Information Center (DNIC)
RegDate:        1991-07-01
Updated:        2009-06-19
Ref:            https://rdap.arin.net/registry/ip/30.0.0.0

OrgName:        DoD Network Information Center
OrgId:          DNIC
Address:        3990 E. Broad Street
City:           Columbus
StateProv:      OH
PostalCode:     43218
Country:        US
RegDate:
Updated:        2011-08-17
Ref:            https://rdap.arin.net/registry/entity/DNIC